Configuration
XACML (eXtensible Access Control Markup Language) is an open, XML-based standard for expressing access-control policies and access rights to information for web services. It supports fine-grained, attribute-based access control definitions and lets higher-level policies be composed by reusing those low-level definitions.
This section describes how to configure the XACML Policy Decision Point (PDP) for the deployment stacks below.
By default, PDP configuration is disabled in each of the following stacks; the authz-enabled property is the switch that turns it on, so set it to true wherever authorization is meant to be enforced.
Azure
To deploy in Azure, set the following PDP configuration properties in both install.sh/install-postgresql.sh and install.bat/install-postgresql.bat (the batch form is shown; use the equivalent export lines in the .sh scripts).
REM PDP Configuration
SET AUTHZ_ENABLED="false"
SET PDP_CONFIG="classpath:xacml/pdp-config.xml"
SET PDP_RESOURCE_TYPE="API"
SET PDP_RESOURCE_MANAGER="PARTY"
SET temn_entitlement_service_enabled="false"
AWS
To deploy in AWS, set the following PDP configuration properties in install-aws.sh and install-aws-postgresql.sh.
#--- PDP Configuration ---
export LAMDA_CONFIG="DATABASE_KEY=\"dynamodb\",temn_msf_security_authz_enabled=\"true\",temn_entitlement_service_enabled=\"false\""
export PDP_CONFIG="classpath:xacml/pdp-config.xml"
export PDP_RESOURCE_TYPE="API"
export PDP_RESOURCE_MANAGER="PARTY"
export LAMDA_CONFIG=${LAMDA_CONFIG},PDP_CONFIG=${PDP_CONFIG},temn_msf_pdp_resource_type=${PDP_RESOURCE_TYPE},temn_msf_pdp_resource_manager=${PDP_RESOURCE_MANAGER}
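The AWS snippet above packs every PDP property into one comma-separated KEY=VALUE string (LAMDA_CONFIG), which makes a typo or a flag left at its disabled default easy to miss. The following POSIX shell check, an added example that is not part of the project's scripts, parses a string of that shape and reports whether it describes an enforcing PDP. The helper names (pdp_get, pdp_check) and the two sample strings are constructed for this example; the assumption that authorization is off unless temn_msf_security_authz_enabled is exactly "true" follows from the property name and the AWS snippet, not from any documented behaviour.

```shell
#!/bin/sh
# Added example: sanity-check a LAMDA_CONFIG-style string before deploying.
# Not project code; helper names and sample strings are constructed here.

# pdp_get CFG KEY
#   Prints the value of KEY from a comma-separated KEY=VALUE string.
#   Surrounding double quotes (as written in the install script) are stripped.
#   Splits on the first '=' only, so values may themselves contain '='.
#   The last occurrence of a duplicated key wins. Returns 1 if KEY is absent.
pdp_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F',' '{
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq && substr($i, 1, eq - 1) == key) {
                val = substr($i, eq + 1)
                found = 1
            }
        }
    } END {
        if (found) { gsub(/"/, "", val); print val; exit 0 }
        exit 1
    }'
}

# pdp_check CFG
#   Returns 0 when the string enables authorization and names the PDP
#   config resource, resource type and resource manager; otherwise prints
#   each problem and returns 1.
pdp_check() {
    _cfg=$1
    _rc=0
    # Assumption: anything other than the literal "true" leaves authz off.
    if [ "$(pdp_get "$_cfg" temn_msf_security_authz_enabled)" != "true" ]; then
        echo "authz disabled: temn_msf_security_authz_enabled is not true"
        _rc=1
    fi
    for _k in PDP_CONFIG temn_msf_pdp_resource_type temn_msf_pdp_resource_manager; do
        if ! pdp_get "$_cfg" "$_k" >/dev/null; then
            echo "missing property: $_k"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample: the string install-aws.sh would hold after the
# "export LAMDA_CONFIG=${LAMDA_CONFIG},PDP_CONFIG=..." line has run.
ENFORCING='DATABASE_KEY="dynamodb",temn_msf_security_authz_enabled="true",temn_entitlement_service_enabled="false",PDP_CONFIG=classpath:xacml/pdp-config.xml,temn_msf_pdp_resource_type=API,temn_msf_pdp_resource_manager=PARTY'

# Constructed sample: same deployment with authorization left at its disabled default.
DISABLED='DATABASE_KEY="dynamodb",temn_msf_security_authz_enabled="false",temn_entitlement_service_enabled="false",PDP_CONFIG=classpath:xacml/pdp-config.xml,temn_msf_pdp_resource_type=API,temn_msf_pdp_resource_manager=PARTY'

# Usage: pass the string the install script exports.
pdp_check "$ENFORCING" && echo "enforcing: ok"
pdp_check "$DISABLED" || echo "disabled: refuse to deploy"
```

Run it with the real value (`pdp_check "$LAMDA_CONFIG"`) at the end of install-aws.sh to fail the deployment when authorization has been left off by accident.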
K8
To deploy in K8, go to \ms-party-package\ms-party-package-docker\src\docker\k8\on-premise\svc\templates\svc\ and configure the following PDP properties in party-configmap.yaml, which in turn reads values.yaml for the values of the templated properties.
#--- PDP Configuration ---
temn.msf.security.authz.enabled: {{ .Values.env.security.temn_msf_security_authz_enabled | quote }}
PDP_CONFIG: classpath:xacml/pdp-config.xml
temn.msf.pdp.resource.type: API
temn.msf.pdp.resource.manager: PARTY
temn.entitlement.service.enabled: {{ .Values.env.entitlement.temn_entitlement_service_enabled | quote }}
The same properties can be overridden in the start scripts:
SET temn_msf_security_authz_enabled=false
SET PDP_CONFIG=classpath:xacml/pdp-config.xml
SET temn_msf_pdp_resource_type=API
SET temn_msf_pdp_resource_manager=DUEDILIGENCE
REM --- ENTITLEMENT PROPERTIES
SET temn_entitlement_service_enabled=false
If a property is not set in the start scripts, its value is taken from values.yaml, under the env key that party-configmap.yaml references:
#--- PDP Configuration ---
env:
  security:
    temn_msf_security_authz_enabled: false
  entitlement:
    temn_entitlement_service_enabled: false